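// https://syzkaller.appspot.com/bug?id=edc4bdcf9437492a8287e70f7c3c4231511fe690
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer layout (syzkaller convention): main() maps a fixed scratch
// region at 0x20000000 that execute_one() fills with syscall arguments by
// absolute address, then forks NUM_PROCS workers that run loop(); each loop
// iteration forks a short-lived child that runs execute_one() once under a
// CHILD_TIMEOUT_MS timeout.
//
// NOTE(review): the header names were lost when this page was extracted
// (only bare "#include" tokens survived). The list below is reconstructed
// from the identifiers this file uses; it is not the original list.

#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Index of the worker process, set in main() before each fork. Nothing in
// this file reads it; presumably the generator emits it unconditionally for
// reproducers that derive per-process names from it.
static unsigned long long procid;

enum {
  // Scratch region that every absolute address in execute_one() falls in.
  SCRATCH_BASE = 0x20000000,
  SCRATCH_SIZE = 0x1000000,
  // Number of worker processes forked by main().
  NUM_PROCS = 6,
  // Per-iteration child timeout enforced by loop(), in milliseconds.
  CHILD_TIMEOUT_MS = 5000,
};

// Forcibly kill `pid` and block until it has been reaped; `*status` receives
// its wait status. waitpid(-1, ...) reaps any child, so statuses of other
// children that exit first are discarded. The loop only ends when `pid`
// itself is returned, so a persistently failing waitpid would spin forever.
static void kill_and_wait(int pid, int *status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for `ms` milliseconds (thin usleep wrapper).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds. Exits the process if the clock is
// unavailable, because the timeout in loop() cannot work without it.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Worker body: forever fork a child that runs execute_one() once, poll for
// its exit with WNOHANG once per millisecond, and kill it if it is still
// alive after CHILD_TIMEOUT_MS. A fork failure ends the worker.
static void loop(void)
{
  for (;;) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < CHILD_TIMEOUT_MS)
        continue;
      // Child overran its budget: kill it and reap it before the next fork.
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Fallback syscall numbers for when <sys/syscall.h> does not provide them.
// NOTE(review): the names and values look like NetBSD's syscall table
// (compat_50_mknod, open, mmap, pwritev); confirm against the target named
// on the bug page before building for anything else.
#ifndef SYS_compat_50_mknod
#define SYS_compat_50_mknod 14
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_open
#define SYS_open 5
#endif
#ifndef SYS_pwritev
#define SYS_pwritev 290
#endif

// Syscall results carried between calls; r[0] is the fd returned by open().
// The all-ones initial value means "not set": if open() fails, pwritev()
// below is still issued with this value as its fd.
uint64_t r[1] = {0xffffffffffffffff};

// The reproducer program proper. Every pointer argument is an absolute
// address inside the scratch region mapped by main(); the byte payloads are
// fuzzer-generated and must be kept exact.
static void execute_one(void)
{
  intptr_t res = 0;

  // mknod("./file0", 0x2000, 0x400). NOTE(review): 0x2000 is S_IFCHR on most
  // systems and 0x400 would then be the device number — confirm against the
  // target's <sys/stat.h>.
  memcpy((void *)0x20000080, "./file0\000", 8);
  syscall(SYS_compat_50_mknod, 0x20000080ul, 0x2000ul, 0x400);

  // open("./file0", 2, 0); keep the descriptor only if the call succeeded.
  // (flags 2 is O_RDWR on common targets — confirm.)
  memcpy((void *)0x20000040, "./file0\000", 8);
  res = syscall(SYS_open, 0x20000040ul, 2ul, 0ul);
  if (res != -1)
    r[0] = res;

  // iov[7] at 0x20000280, written as 16-byte {base, len} pairs (assumes a
  // 64-bit target where struct iovec is {void *, size_t}). Only iov[1]
  // (202 bytes) and iov[2] (64 bytes, placed at the very start of the
  // scratch region) carry data; all other entries are {NULL, 0}.
  *(uint64_t *)0x20000280 = 0;          // iov[0].iov_base
  *(uint64_t *)0x20000288 = 0;          // iov[0].iov_len
  *(uint64_t *)0x20000290 = 0x200000c0; // iov[1].iov_base
  memcpy((void *)0x200000c0,
         "\xd2\x51\xa5\xb7\xe2\xec\x9d\xd1\x9c\xa7\x04\x4d\x61\x5a\x8f\x92\xd4"
         "\x74\xd0\x2b\x3f\x9c\x26\x2a\x3f\x49\x82\xeb\x43\xef\x74\xcd\xbf\xb3"
         "\x8e\x23\xf7\x24\xed\x84\x09\x69\xde\xda\x41\x80\x72\x0a\xbd\xa3\x8f"
         "\xc0\x93\x0f\x6b\xa4\x9a\x4f\xe2\x2e\xb5\x07\x8d\xf5\xc8\xec\x75\xcf"
         "\x1e\x7e\x2c\x60\xe0\x45\xa4\x2a\x31\x19\x35\x74\xdc\x1d\x4c\xbb\x80"
         "\x6e\x6c\x06\x7d\x88\xbf\xe7\x59\xa0\xc1\x24\x95\x45\x22\x06\x39\xe7"
         "\xcb\x23\x06\x8f\x88\x39\xa6\xd6\xe0\x9f\xc1\xec\x85\xb0\xc3\x74\x79"
         "\x3f\xe1\xee\xa2\xc9\x55\x0e\x7f\x10\x47\x14\x10\xdd\xd2\xd1\xf5\xa8"
         "\x66\x5a\x07\x2f\x1c\xfe\x62\x2b\x12\xac\x41\x4f\x5c\xed\x4b\x07\x02"
         "\xab\xb2\xf2\x92\xad\x75\x50\xb8\x54\x86\xb6\x0c\x7c\xe4\x4e\x35\x84"
         "\x8f\x66\xfa\x16\x5e\x4e\x1b\xa0\xeb\x3d\xb0\x08\xef\x0a\xf9\x68\x2d"
         "\xd6\xcc\xcc\x03\x39\x43\x83\x76\xa1\x86\x9e\xee\xc3\x24\x52",
         202);
  *(uint64_t *)0x20000298 = 0xca;       // iov[1].iov_len = 202
  *(uint64_t *)0x200002a0 = 0x20000000; // iov[2].iov_base = SCRATCH_BASE
  memcpy((void *)0x20000000,
         "\x86\x28\x6b\x31\x5e\xad\xf0\xd5\x86\xba\xd1\xef\x34\xae\xad\x50\xa2"
         "\x06\x95\x81\x07\x09\x82\xff\x5a\xd9\x64\xd3\x3c\x40\x3d\x4f\x82\x0e"
         "\xe3\xbf\x6b\x16\xf9\xed\xa3\xe5\x92\x66\xd9\x2a\x05\xad\xbd\x64\x7a"
         "\x97\x91\x74\x72\xd0\xca\x69\x25\xc2\x0b\x34\x8f\xb2",
         64);
  *(uint64_t *)0x200002a8 = 0x40;       // iov[2].iov_len = 64
  *(uint64_t *)0x200002b0 = 0;          // iov[3]
  *(uint64_t *)0x200002b8 = 0;
  *(uint64_t *)0x200002c0 = 0;          // iov[4]
  *(uint64_t *)0x200002c8 = 0;
  *(uint64_t *)0x200002d0 = 0;          // iov[5]
  *(uint64_t *)0x200002d8 = 0;
  *(uint64_t *)0x200002e0 = 0;          // iov[6]
  *(uint64_t *)0x200002e8 = 0;

  // pwritev(r[0], iov, 7, 0x40000000000005). The very large file offset is
  // part of the reproducer input; keep it exact.
  syscall(SYS_pwritev, r[0], 0x20000280ul, 7ul, 0x40000000000005ul);
}

// Map the scratch region, start NUM_PROCS workers, then park the parent.
int main(void)
{
  // mmap(SCRATCH_BASE, SCRATCH_SIZE, 3 /* PROT_READ|PROT_WRITE */, 0x1012,
  // -1, 0, 0). NOTE(review): 0x1012 presumably encodes
  // MAP_FIXED|MAP_ANON|MAP_PRIVATE on the target and the trailing 0 looks
  // like the pad argument of a 7-argument mmap ABI — confirm. The original
  // left the result unchecked; without this mapping every absolute store in
  // execute_one() faults in each child, so fail loudly here instead.
  if (syscall(SYS_mmap, (unsigned long)SCRATCH_BASE,
              (unsigned long)SCRATCH_SIZE, 3ul, 0x1012ul, -1, 0ul, 0ul) == -1)
    exit(1);
  for (procid = 0; procid < NUM_PROCS; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  // Keep the parent alive (~11.6 days) while the workers run.
  sleep(1000000);
  return 0;
}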